10 Years in Cyberspace Security

Ten years ago, I wrote a paper on the future of cyberspace. In it, I pointed to three areas that we needed to address to make cyberspace safe for information sharing: establishing strong cyber-trust, enabling secure mobility and striking a balance between security and privacy rights.

So much has changed since then. Or has it?

Cyberspace Future Past

It’s 2005. George Walker Bush is in the White House, the National Infrastructure Advisory Council is making recommendations to the President on information systems security, and one of the top TV shows is CSI: Crime Scene Investigation, featuring an elite team of police forensic evidence investigation experts using the best scientific and technical methods to work their cases in Las Vegas.

Fast-forward 10 years and cyberspace is the new Las Vegas. President Barack Obama holds the first-ever White House summit on cybersecurity, DARPA runs its Cyber Grand Challenge tournament designed to speed defense against cyberattacks. The show CSI: Cyber launches, featuring Patricia Arquette as head of the FBI cybercrime division. Oh, and John Ellis Bush is running for the White House.

Despite the effort we’ve expended over the past 10 years to secure cyberspace, cybercrime is increasing. Incidences against high-profile consumer retail, banking, health care and utility companies fill the news, and headlines proclaim growing privacy concerns and cyber threat incidences against government entities.

Consider the following breaches -- a decade apart and yet eerily similar:

  • In 2005, hackers broke into CSS, one of the top payment processors for Visa, MasterCard and American Express, exposing 40 million credit card accounts and ultimately forcing CSS into acquisition.
  • In February 2015, the New York Times reports an unknown group of hackers has allegedly stolen $300 million -- possibly as much as triple that amount -- from banks across the world.

As the French proverb puts it, “Plus ça change, plus c’est la même chose.“ While much has changed over the last decade, much remains the same.

The Weakest Link

Our grandfathers did business by looking a person in the eye and deciding whether that person could be trusted. Cyber-trust is our equivalent. Nicholas Negroponte warned us two decades ago in "Double Agents" about the risks of trust in cyberspace:

When you delegate the tasks of mowing your lawn, washing your car or cleaning your suit, very little privacy is at stake. By contrast, when you hand over the management of your medical, legal or financial affairs to another human, the performance of those tasks depends on your willingness to reveal very private and personal information. …That is achieved solely through trust and mutual respect. In the digital world, such high regard and real confidence will be more difficult to accomplish.”

So how do we secure cyberspace? Gone are the days when perimeter firewalls formed sufficient security protection. We require layers of multi-factor, mutual authentication security and authorization controls in today’s complex environment.

Cyberspace is a network of networks, a virtual coming together of consumers, companies and nations. Bad actors proliferate, and they run the gamut from criminals to ill-advised employees, consumers and even disembodied computer agents. The weakest-link principal applies here. Cyberspace must be secured not only against bad actors, but against bad behaviors.

Cyberspace is Unstructured

Cyberspace is messy. Web pundit David Weinberger argues that we “have to get rid of the idea that there’s a best way of organizing the [cyberspace] world.” He believes that the web’s messiness is an inherent virtue. “Filter on the way out, not on the way in,” he writes, predicting the emergence of what he calls a “third order” of knowledge.

We share a responsibility to defend this unstructured virtual world of knowledge, and it is increasingly critical to also protect the services and commerce that live in or travel through cyberspace. I vividly recall Congressman Adam Putnam’s call to action at a Congressional oversight hearing a decade ago, a speech that could well have been delivered last week:

Today I call on everyone in this nation to take immediate action to increase your protection and to dramatically improve the cyber security profile … there is clear evidence that national security and economic stability are at risk from attack in the cyber world … there must be a renewed commitment to securing computer networks and protecting the information assets they contain.”

The technologies to create a secure cyberspace exist, including powerful data encryption, mutual identification, multi-factor authentication, information governance and access control. However, it is not just a question of what technologies we apply, but how and to what extent we apply these protections. Cyberspace protections can’t just be bolted on. They need to be an integral part of all of our systems, apps and communities -- now increasingly cloud based.

Mobile is Proliferating

Protections need to also be extended to all of our connected devices. In my 2005 cyberspace paper, I observed:

[We must] include the mobile workforce as an integral part of the cyber security protections. There is a tremendous opportunity to improve workflow and productivity at the 'point-of-impact' by delivering secure information in cyberspace. If perimeter security is the only emphasis, then mobile will be a 'weakest link' that threatens security.”

The mobile devices I worried about a decade ago remain a major concern for today’s cyber defense strategists. And now all the devices that are proliferating in the Internet of Things (IoT) are weaving a new layer of cyberspace that must be protected. Two years ago, in Dr. Seuss and the Internet of Things, I talked about the new challenges IoT would present:

With the Internet of Things, physical devices and flows are inextricably united with their information ... It turns out that this tight coupling, along with a concomitant convergence of operational and business systems, raises some very big governance and risk challenges for those in the enterprise concerned with information management.”

Gartner’s Peter Sondergaard wrote in Forbes that Securing the Internet of Things represents new challenges in terms of the type, scale and complexity of the technologies and services that are required.

The Internet of Things means sensitive information, such as device operation details and personal data, transitions from moving within secure networks to moving between third parties. The risks of having information travel between externally controlled appliances, customers and sensory-based technology challenges traditional, layered-protection security management.“

And just last month in the Risk & Compliance Journal, Gary Davis, Intel Security’s chief consumer security evangelist, addressed the cyber defense issues companies face in this era of the IoT, confirming mobile as “the attack surface that malicious people are going to target.”

The challenges of securing an increasingly dense and interconnected cyberspace have clearly escalated.

Cyberspace is Personal

All is not lost. In the quest to protect our valuable information assets, we have seen progress in the implementation of deeper and wider information protection mechanisms, as well as tighter user policies, and stronger personal access controls.

In the financial services sector, there have been ever-improving data and communication encryption and certification standards like the PCI DSS standard, which the CSS incident pre-dated. And new innovative protective capabilities are coming to market, like Trunomi's TruLink and TruMobile, that verify identity on the customer mobile device and enable them to share personal identifiable information securely.

At the same time, the digital revolution has increased the natural tensions that surround data availability, security and personal privacy rights.

The collection, analysis, and use of personal information for public purposes isn't a modern phenomena. As far back as the eleventh century, monarchs collected information on their subjects to plan taxation and other state affairs. William the Conqueror collected information on his subjects in the Domesday Book using pen, ink and vellum.

We now have technology that delivers enormous storage capacity and instant retrieval speed, processing and utilization of personal information. The process has become so efficient and integrated that it is often impossible to separate it into its component parts, and it is being employed by governments and the private sector alike.

In healthcare the HIPAA (Health Insurance Portability and Accountability Act) standards and related security technology help protect our information privacy. The 1996 HIPAA Security Rule established US “national standards to protect individuals’ electronic personal health information” to ensure the "confidentiality, integrity and security of electronic protected health information.”

Medical identity theft is increasing though, by a whopping 21.7 percent last year. Unlike the financial services industry, which evolved to detect fraud and absorb costs, the healthcare industry has much to do in this area. And the recent Ebola health crisis has raised the question, “when does collecting information for the security of many trump the privacy of one?”

In retail, commerce technologies like DoubleClick appear to almost instantaneously collect and contextually serve up our personal information. Something I realize every time Facebook shows me the Art.com paintings I looked at 5 minutes previously.

In the future, agents and push technologies may map our next purchase, the brand and how much we can afford, raising new questions of ensuring both privacy and cybersecurity.

We are conflicted as well about the technologies we employ for cyber defense in the public sector. Tension is evident in attempts to balance personal privacy with national and international security concerns. The US Patriot Act provisions illustrate this.

Driven by broad concerns following the September 11 attacks and 2001 anthrax attacks, Congress passed legislation to strengthen security controls, but critics claim the law encroaches on civil liberties and privacy rights. As recently as last month, private sector executives voiced the need for privacy measures. Apple CEO Tim Cook grabbed headlines when he preceded President Obama at the White House cybersecurity summit with an impassioned plea for the right to privacy and un-crackable encryption.

All Together Now

What prompted me to write that paper on cyberspace challenges a decade ago?

Insufficient facts always invite danger.” -- Spock, Star Trek: The Original Series, "Space Seed"

At the time I was part of a small cybersecurity technology company and was privileged to support my then CEO with her work on the President’s National Infrastructure Advisory Council (NIAC). As a Special Point of Contact or SPOC (and yes the Star Trek allusion was not lost on us), I joined dedicated professionals from the public sector and companies like CISCO, Akamai and Intel -- now very much at the center of protecting cyberspace -- in their mission to “provide the President through the Secretary of Homeland Security with advice on the security of the critical infrastructure sectors and their information systems.” Our focus was to search for and understand the facts in order to drive informed public-private sector cyber security recommendations.

In my current role at a global enterprise information management company, my interest in securing cyberspace continues, as does my belief that we must tackle this challenge together. President Obama convened last month’s White House summit on cybersecurity at Stanford University to do just that:

To bring everybody together, industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students, … to strengthen [the] approach to cybersecurity threats, including engaging with international partners to promote an open, interoperable, secure, and reliable cyberspace.”

While a glance back may reveal how far we have traveled in 10 years to meet the challenges of securing cyberspace, looking forward we can agree that much work remains to be get the job done.

Creative Commons Creative Commons Attribution 2.0 Generic License Title image by  CarbonNYC [in SF!]